Adobe has patched Flash twice in two weeks now. The reason for this was due to Hacking Team, an Italian company that sells hacking tools to government agencies, getting hacked. Hacking Team, it turns out, knew of at least three unpatched vulnerabilities (also known as “zero-days” or “0days”) in Flash, and exploits for these vulnerabilities were among the things that got breached.
That’s why Adobe is having a bad month.
Hacking Team had a target on its back because it wasn’t particularly choosy about what governments it sold its tools to. Of course they sold to NATO countries, but they also sold to countries like Bahrain and Sudan, whose human rights records are the worst in the world at the moment.
Breaching the company confirmed that they had indeed sold their goods to the worst of the worst, but it also had the side effect of releasing government-grade 0days into the wild, where every script kiddie in the world could get his hands on them. It also doesn’t really stop oppressive governments from using the tools in the short term, although over time it will diminish their value as researchers find the exploits and turn them over to the vendors of the affected products.
Indeed, in the long run, having access to the source code of a top-drawer government-grade exploit toolkit will improve security for everyone. But in the short term, people like me are going to have a lot of headaches because the bad guys are looking at this just as much as the good guys are.
Flash in particular is having a bad time of it. Facebook’s new CSO, Alex Stamos (formerly of Yahoo), came right out and called for Adobe to discontinue Flash altogether. Mozilla took the unprecedented step of disabling it, and Chrome has been disabling all but the very most recent version of it, within minutes of the new version coming out.
Increasingly we don’t really need Flash. Since it’s never been possible to run Flash on Apple’s mobile devices, many sites have been using HTML5 for Flash-like content since they don’t want to provide a substandard experience to Apple users, who are both numerous and sought after by advertisers. Frequently you can uninstall Flash from a computer and sites will just switch over to HTML5. If not, making your browser lie about being an iPad will force the HTML5 issue.
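To show why both tricks above work, here is an added example (not code from the original post or from any site it mentions) of the two ways a site typically picked between a Flash object and an HTML5 video element: feature detection, which fails as soon as the plugin is uninstalled, and user-agent sniffing, which the iPad lie defeats. The navigator objects are constructed stand-ins so the code runs outside a browser.

```javascript
// Added example: decide whether to serve a Flash object or an HTML5 <video>.
// Sites did this two ways: feature detection (is a Flash plugin actually
// present?) and user-agent sniffing (does the browser claim to be an iPad,
// which never had Flash?). The navigator objects below are constructed
// stand-ins so this runs in Node without a real browser.

// Feature detection: look for the Shockwave Flash plugin or its MIME type,
// which is what browsers expose through navigator.plugins / navigator.mimeTypes.
function hasFlashPlugin(nav) {
  const plugins = Array.from(nav.plugins || []);
  if (plugins.some((p) => /shockwave flash/i.test(p.name || ''))) return true;
  const mimes = nav.mimeTypes || {};
  return Boolean(mimes['application/x-shockwave-flash']);
}

// User-agent sniffing: Apple mobile devices never ran Flash, so a site that
// sees an iPad user agent has to serve HTML5 regardless of plugins.
function claimsToBeIpad(userAgent) {
  return /\biPad\b/.test(userAgent || '');
}

// Pick the renderer. Either signal is enough to force HTML5, which is why
// uninstalling Flash or spoofing an iPad user agent both work from the
// user's side.
function chooseRenderer(nav) {
  if (claimsToBeIpad(nav.userAgent)) return 'html5';
  return hasFlashPlugin(nav) ? 'flash' : 'html5';
}

// Build the markup for the chosen renderer (src is a constructed base URL).
function renderVideo(nav, src) {
  if (chooseRenderer(nav) === 'flash') {
    return `<object type="application/x-shockwave-flash" data="${src}.swf"></object>`;
  }
  return `<video controls src="${src}.mp4"></video>`;
}

// Constructed navigator stand-ins (not captured from real browsers).
const desktopWithFlash = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1) Chrome/43.0',
  plugins: [{ name: 'Shockwave Flash' }],
  mimeTypes: { 'application/x-shockwave-flash': {} },
};
const desktopNoFlash = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1) Firefox/39.0',
  plugins: [],
  mimeTypes: {},
};
// A desktop that still has Flash installed but lies about being an iPad.
const spoofedIpad = {
  userAgent: 'Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) Safari/600.1.4',
  plugins: [{ name: 'Shockwave Flash' }],
  mimeTypes: { 'application/x-shockwave-flash': {} },
};

console.log(renderVideo(desktopWithFlash, '/media/clip')); // Flash object
console.log(renderVideo(desktopNoFlash, '/media/clip'));   // HTML5 video
console.log(renderVideo(spoofedIpad, '/media/clip'));      // HTML5 video
```

From the defender's side the point is that the HTML5 path is the one that needs no plugin at all, so a site that already serves it to iPads can serve it to everyone; removing Flash from the machine then removes the attack surface the patches are chasing without breaking those sites.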
I’ve wanted Flash to die since about 1997, so I won’t be sorry to see it go.
But in the meantime, since yesterday was Patch Tuesday, be sure to apply your patches. And don’t be too shocked if there’s another round of out-of-band patches that roll out in the weeks to come, whether from Microsoft, Adobe, Apple, Google or Oracle. Oracle is still working on an issue from the Hacking Team dump, and more Microsoft, Adobe and Google Chrome issues can still surface. Apple had some issues as well, which, as far as I know, haven’t been patched yet, so don’t be surprised if Apple releases updates to OS X and iOS as well. As for Android, you’re at the mercy of your carrier there, which is why Google has been trying to wrest as much control from the carriers and OEMs as it can. Maybe the Hacking Team scandal will be what it takes for Google to get Android where it needs to be.